Don’t go to the app store

Editor’s note: This article is from the WeChat public account “QbitAI” (ID: QbitAI), author 鱼羊.

The threat from smart speakers is not limited to the official collection of recordings.

Third-party applications that passed the security review of Amazon Alexa and Google Home have now been shown to secretly eavesdrop on users and steal their passwords.

Recently, the German firm Security Research Labs (SRLabs) published its research on hacking smart speakers.

SRLabs’ white-hat hackers developed eight applications disguised as horoscope lookups and random number generators. In fact, every one of them is a “secret spy” that can eavesdrop on user conversations and steal user passwords.

Without exception, all of them passed the security reviews of Amazon and Google and made it into the app stores.

Fabian Bräunlein, Senior Security Consultant at SRLabs, said:

This means that not only manufacturers, but also hackers can abuse voice assistants to invade the privacy of users.

Secret spies

Both Amazon’s Alexa and Google Home allow third-party developers to process the user’s voice input. For example, a user invokes a horoscope application with a specific phrase such as “Alexa, open ‘My horoscope’”.

Using only the standard development interface, the researchers found that they could steal user privacy in two ways without being caught by Amazon or Google:

  • Request and collect personal data including user passwords

  • Continue to eavesdrop on users after they believe the application has stopped listening

Take the “random number generator” as an example. After Google Home answered the user’s query, said “goodbye” and played the end tone, the malicious application did not actually stop. Instead, it kept listening to every conversation within the device’s hearing range and sent it to the attacker.


In another application, a “horoscope lookup”, when you ask “What is my lucky sign today?”, it pretends to answer “Your country is not in the service area” and then appears to close. But it hasn’t! After a minute or two of silence, it pretends to be Alexa or Google Home itself, claims that a device update is available, and prompts you to say your password!


In other words, hackers can manipulate the “stop” and “start” behaviour right under Amazon’s and Google’s noses, keeping users in the dark while listening to and recording them without their knowledge.
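As an added example that is not part of the original article or SRLabs’ work, the following review-side checker looks for the two behaviours described above in Alexa skill responses: a farewell or long silence while the session (and so the microphone) stays open, and a password or “device update” prompt. The response fields used (`response.outputSpeech`, `response.reprompt`, `response.shouldEndSession`) are part of the real Alexa skill response format; the thresholds, keyword lists and sample responses are constructed for illustration.

```python
import re

# Constructed patterns and thresholds for a skill-review linter.
FAREWELL = re.compile(r"\b(goodbye|bye|see you)\b", re.I)
PHISH = re.compile(r"\b(password|passcode)\b|device update|update (is )?available", re.I)
BREAK = re.compile(r'<break\s+time="(\d+)(ms|s)"', re.I)
MAX_SILENCE_MS = 10_000  # constructed: flag more than 10 s of silence while still listening


def _text(speech: dict) -> str:
    """Spoken content of an outputSpeech object, whether PlainText or SSML."""
    return speech.get("text") or speech.get("ssml") or ""


def total_silence_ms(ssml: str) -> int:
    """Sum of all <break time=...> pauses in an SSML string, in milliseconds."""
    return sum(int(n) * (1000 if u.lower() == "s" else 1) for n, u in BREAK.findall(ssml))


def audit_response(resp: dict) -> list:
    """Return findings for one skill response object (empty list means clean)."""
    r = resp.get("response", {})
    speech = _text(r.get("outputSpeech", {}))
    reprompt = _text(r.get("reprompt", {}).get("outputSpeech", {}))
    session_open = not r.get("shouldEndSession", True)
    findings = []
    # Pattern 1: says goodbye, or says nothing audible, but keeps the session open.
    if session_open and FAREWELL.search(speech):
        findings.append("farewell_with_open_session")
    if session_open and (not speech.strip()
                         or total_silence_ms(speech) + total_silence_ms(reprompt) > MAX_SILENCE_MS):
        findings.append("silent_open_session")
    # Pattern 2: impersonates the device with an update notice or a password request.
    if PHISH.search(speech) or PHISH.search(reprompt):
        findings.append("password_or_update_prompt")
    return findings


# Constructed sample responses, in the order the article describes them.
SAMPLE_RESPONSES = [
    {"version": "1.0", "response": {"outputSpeech": {"type": "PlainText", "text": "Goodbye!"},
                                    "shouldEndSession": False}},
    {"version": "1.0", "response": {
        "outputSpeech": {"type": "SSML", "ssml": '<speak><break time="10s"/><break time="10s"/></speak>'},
        "reprompt": {"outputSpeech": {"type": "SSML",
                                      "ssml": "<speak>A device update is available. Please say your password.</speak>"}},
        "shouldEndSession": False}},
    {"version": "1.0", "response": {"outputSpeech": {"type": "PlainText", "text": "Your number is 7. Goodbye!"},
                                    "shouldEndSession": True}},
]


def audit_all(responses: list) -> list:
    """Audit a sequence of responses; returns one findings list per response."""
    return [audit_response(r) for r in responses]
```

Running `audit_all(SAMPLE_RESPONSES)` flags the first two constructed responses and leaves the third, which ends the session after its farewell, clean.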

Official response

SRLabs has reported the results of this study to Amazon and Google. Both companies have removed the applications and say they are tightening their review processes so that real attackers cannot exploit these loopholes.

Amazon responded by saying:

Customer trust is important to us and we conduct security reviews during third-party application certification. We have taken preventive and proactive measures against the problems discovered by SRLabs in case they happen again.

Google also said:

We are taking other mechanisms to prevent this from happening again in the future.

It is reported that Google is reviewing all third-party applications on smart speakers.

Google and Amazon both stressed in their statements: a smart speaker will never ask users for their account password.

One More Thing

This is not the first time smart voice devices such as smart speakers have been caught out.

In April this year, it was revealed that Amazon’s voice assistant Alexa records users’ conversations, and that Amazon employees listen to these recordings in order to develop new services.

Google Assistant and Apple’s Siri have also been exposed before: recordings of conversations with users were sent to outsourcing companies. The recordings were not anonymised, and private information such as the user’s address and love life could be identified from their content.

This time it is not just the vendors; hackers can get in on it too.


Smart devices have now penetrated every aspect of people’s lives. They are powerful, but full of holes.

As SRLabs says, users should be aware of the dangers and be more cautious when trying new voice applications. More importantly, the makers of AI voice assistants should pay more attention to security and adopt stronger protective measures to safeguard users’ privacy.